From d991e21fc15b7b47778ed6941f9f94a7a835da82 Mon Sep 17 00:00:00 2001
From: Adrian
Date: Sun, 24 May 2020 12:24:00 +0200
Subject: [PATCH 1/2] Improve iptables and add port knocking for SSH
---
 iptables/README.md | 7 +++++--
 iptables/blackwhite.rules | 16 ++++++++++++++++
 iptables/default.rules | 2 +-
 iptables/iptables.service | 4 ++--
 iptables/knock.rules | 10 ++++++++++
 iptables/ratelimit.rules | 13 -------------
 ssh/sshd_config | 2 --
 7 files changed, 34 insertions(+), 20 deletions(-)
 create mode 100644 iptables/blackwhite.rules
 create mode 100644 iptables/knock.rules
diff --git a/iptables/README.md b/iptables/README.md
index fc67e5c..fbb22e8 100644
--- a/iptables/README.md
+++ b/iptables/README.md
@@ -1,9 +1,10 @@
 # Iptables
 
 ```sh
-sudo cp *.rules /etc
+sudo cp default.rules empty.rules /etc
 sudo cp *.service /etc/systemd/system
 sudo systemctl enable iptables
+sudo systemctl start iptables
 ```
 
 ## Apply and Report Rate Limits
@@ -12,5 +13,7 @@ The `ratelimit.rules` file adds new chains to
 limit the rate of new connections based on /16 subnets.
 
 ```sh
-sudo iptables-restore -n < ratelimit.rules
+sudo iptables-restore -n blackwhite.rules
+sudo iptables-restore -n knock.rules
+sudo iptables-restore -n ratelimit.rules
 ```
diff --git a/iptables/blackwhite.rules b/iptables/blackwhite.rules
new file mode 100644
index 0000000..c8ddcc8
--- /dev/null
+++ b/iptables/blackwhite.rules
@@ -0,0 +1,16 @@
+*raw
+:BLACKLIST -
+:WHITELIST -
+
+-A PREROUTING -j BLACKLIST
+-A PREROUTING -j WHITELIST
+
+-A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
+-A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
+
+-A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
+-A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
+-A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
+-A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
+
+COMMIT
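Review bot: The WHITELIST rules accept on source address alone in the raw table, where neither conntrack nor a reverse-path check has run, so any packet that merely claims a 127/8 or RFC 1918 source skips every raw-table chain appended after this file (KNOCK and RATELIMIT per the README's load order), and the ACCEPT itself opens nothing in the filter table. Bind the private ranges to the interface they legitimately arrive on, e.g. `-A WHITELIST -i lo -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT` and `-i <lan-if>` for the RFC 1918 entries, or rely on rp_filter, and say in a header comment that ACCEPT here only ends raw-table processing. Note also that BLACKLIST is jumped to before WHITELIST, the reverse of the precedence in the ratelimit.rules lines this commit removes; if a blacklisted source must never be whitelisted that is fine, but a one-line comment stating the intended precedence would stop it being flipped by accident.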
diff --git a/iptables/default.rules b/iptables/default.rules
index f6c250b..0c5357c 100644
--- a/iptables/default.rules
+++ b/iptables/default.rules
@@ -6,10 +6,10 @@
 -A INPUT -j SERVICE
 -A CONNECTION -i lo -j ACCEPT
 -A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A SERVICE -p tcp --dport 22 -j ACCEPT
 -A SERVICE -p tcp --dport 25 -j ACCEPT
 -A SERVICE -p tcp --dport 80 -j ACCEPT
 -A SERVICE -p tcp --dport 143 -j ACCEPT
 -A SERVICE -p tcp --dport 443 -j ACCEPT
--A SERVICE -p tcp --dport 22222 -j ACCEPT
 -A SERVICE -p udp --dport 53 -j ACCEPT
 COMMIT
diff --git a/iptables/iptables.service b/iptables/iptables.service
index 45847f3..3e0f042 100644
--- a/iptables/iptables.service
+++ b/iptables/iptables.service
@@ -5,8 +5,8 @@ Wants=network-pre.target
 
 [Service]
 Type=oneshot
-ExecStart=iptables-restore /etc/default.rules
-ExecStop=iptables-restore /etc/empty.rules
+ExecStart=iptables-restore -c /etc/default.rules
+ExecStop=iptables-save -c -f /etc/default.rules ; iptables-restore /etc/empty.rules
 RemainAfterExit=yes
 
 [Install]
diff --git a/iptables/knock.rules b/iptables/knock.rules
new file mode 100644
index 0000000..12baa08
--- /dev/null
+++ b/iptables/knock.rules
@@ -0,0 +1,10 @@
+*raw
+:KNOCK -
+
+-A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j KNOCK
+
+-A KNOCK -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --reap --name SSHOK -j RETURN
+-A KNOCK -p tcp -m tcp --dport 22222 -m recent --set --name SSHOK -j DROP
+-A KNOCK -p tcp -m tcp --dport 22 -j DROP
+
+COMMIT
diff --git a/iptables/ratelimit.rules b/iptables/ratelimit.rules
index c5dc31a..39af6c6 100644
--- a/iptables/ratelimit.rules
+++ b/iptables/ratelimit.rules
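Review bot: `-A SERVICE -p tcp --dport 22 -j ACCEPT` opens SSH unconditionally in the filter table, while the knock gate meant to guard it lives in the raw table of knock.rules, which this boot-time ruleset never references; whenever that file is not loaded (first boot before the README presets are applied, or a failed restore) port 22 is plainly reachable and nothing in this file hints that it should not be. State the dependency next to the rule, `# 22 is gated by the KNOCK chain in knock.rules (raw table); load that file first`, or move the `-m recent --rcheck` test into this file's INPUT path so the two cannot drift apart. The hunk shows only the middle of default.rules; the table header and chain policies are outside it.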
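Review bot: The new ExecStop overwrites /etc/default.rules with whatever ruleset is live at shutdown, so the file ExecStart trusts on the next boot is no longer the reviewed one from this repo: a rule added by hand is persisted silently, and a truncated or partial file from a failed iptables-save makes iptables-restore reject the affected table, leaving the host on the kernel default ACCEPT policy — a fail-open. Keep the restore source and the save target distinct, or at least write atomically, e.g. `ExecStop=/bin/sh -c 'iptables-save -c > /etc/default.rules.tmp && mv /etc/default.rules.tmp /etc/default.rules' ; iptables-restore /etc/empty.rules`. Note also that iptables-save dumps every table, so the raw chains from blackwhite/knock/ratelimit are folded into default.rules after the first stop; if that is the intended persistence mechanism, the unit or README should say so.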
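Review bot: The `--set` rule on 22222 fires for every SYN from any source, and the xt_recent list holds only ip_list_tot entries (100 by default), so a burst of SYNs from many addresses evicts legitimate SSHOK entries and locks the operator out; per the README's load order RATELIMIT runs after KNOCK, so it does not protect this table — raise the module parameter (e.g. `options xt_recent ip_list_tot=<n>` in modprobe.d) or put a hashlimit match in front of the `--set` rule. A single fixed knock port is also defeated by any scanner that probes both ports within 30 s, so treat this as noise reduction rather than authentication and keep key-only auth plus MaxAuthTries as the real control; a header comment should say so, e.g. `# knock on 22222 then SYN to 22 within 30s; this hides sshd from casual scans, it does not authenticate`. Since only SYNs enter the chain and `--rcheck` does not refresh the entry, the 30 s window runs from the knock, not from the last connection — worth stating in the same comment.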
@@ -1,23 +1,10 @@
 *raw
-:BLOCK -
 :RATELIMIT -
-:WHITELIST -
 
--A PREROUTING -j WHITELIST
--A PREROUTING -j BLOCK
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,ACK SYN -j RATELIMIT
 
--A BLOCK -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
--A BLOCK -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
-
--A RATELIMIT -p tcp -m tcp --dport 22222 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name ratelimit-ssh --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-smtp --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -p tcp -m tcp --dport 143 -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name ratelimit-imap --hashlimit-srcmask 16 -j DROP
 -A RATELIMIT -m hashlimit --hashlimit-above 4/hour --hashlimit-burst 16 --hashlimit-mode srcip,dstport --hashlimit-name ratelimit-other --hashlimit-srcmask 16 -j DROP
 
--A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
--A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
--A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
--A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
-
 COMMIT
diff --git a/ssh/sshd_config b/ssh/sshd_config
index fb33505..39438bd 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -1,9 +1,7 @@
 UseDNS no
-Port 22222
 AllowUsers sshlogin git backup-*
 ClientAliveInterval 10
-LoginGraceTime 10
 MaxAuthTries 2
 Match User backup-*
From 02a7247fa08abbdb8b919983f973f19ee7a66921 Mon Sep 17 00:00:00 2001
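Review bot: Dropping `LoginGraceTime 10` reverts sshd to its default of 2 minutes, so each unauthenticated connection can hold a pre-auth slot twelve times longer; with the default MaxStartups that makes connection exhaustion cheaper, and the knock gate in knock.rules does not help once a source has opened the port. Unless the change is deliberate, keep `LoginGraceTime 10` (or a comparably short value) alongside `MaxAuthTries 2`. Removing `Port 22222` is consistent with the firewall now exposing 22, but a comment such as `# listens on 22; reachability is gated by iptables/knock.rules` would record why the non-standard port went away.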
From: Adrian
Date: Sat, 4 Jul 2020 12:50:45 +0200
Subject: [PATCH 2/2] Use ipset for blacklists and whitelists
---
 iptables/README.md | 21 +++++++++++++--------
 iptables/blackwhite.rules | 11 ++++-------
 iptables/connection.rules | 6 ++++++
 iptables/ipset.rules | 8 ++++++++
 iptables/ipset.service | 13 +++++++++++++
 iptables/{default.rules => service.rules} | 4 ----
 6 files changed, 44 insertions(+), 19 deletions(-)
 create mode 100644 iptables/connection.rules
 create mode 100644 iptables/ipset.rules
 create mode 100644 iptables/ipset.service
 rename iptables/{default.rules => service.rules} (69%)
diff --git a/iptables/README.md b/iptables/README.md
index fbb22e8..cd17318 100644
--- a/iptables/README.md
+++ b/iptables/README.md
@@ -1,18 +1,23 @@
-# Iptables
+# iptables & ipset
 
 ```sh
-sudo cp default.rules empty.rules /etc
-sudo cp *.service /etc/systemd/system
-sudo systemctl enable iptables
-sudo systemctl start iptables
+sudo apt install ipset
 ```
 
-## Apply and Report Rate Limits
+```sh
+sudo cp empty.rules /etc
+sudo touch /etc/{default,ipset}.rules
+sudo cp *.service /etc/systemd/system
+sudo systemctl enable iptables ipset
+sudo systemctl start iptables ipset
+```
 
-The `ratelimit.rules` file adds new chains to
-limit the rate of new connections based on /16 subnets.
+## Presets
 
 ```sh
+sudo ipset restore -f ipset.rules
+sudo iptables-restore -n connection.rules
+sudo iptables-restore -n service.rules
 sudo iptables-restore -n blackwhite.rules
 sudo iptables-restore -n knock.rules
 sudo iptables-restore -n ratelimit.rules
diff --git a/iptables/blackwhite.rules b/iptables/blackwhite.rules
index c8ddcc8..1b4f276 100644
--- a/iptables/blackwhite.rules
+++ b/iptables/blackwhite.rules
@@ -2,15 +2,12 @@
 :BLACKLIST -
 :WHITELIST -
 
--A PREROUTING -j BLACKLIST
 -A PREROUTING -j WHITELIST
+-A PREROUTING -j BLACKLIST
 
--A BLACKLIST -s 46.229.160.0/20 -m comment --comment SEMrushBot -j DROP
--A BLACKLIST -s 114.119.160.0/21 -m comment --comment AspiegelBot -j DROP
+-A BLACKLIST -m set --match-set blacklist src -j DROP
 
--A WHITELIST -s 127.0.0.0/8 -m comment --comment localhost -j ACCEPT
--A WHITELIST -s 10.0.0.0/8 -m comment --comment "RFC 1918" -j ACCEPT
--A WHITELIST -s 172.16.0.0/12 -m comment --comment "RFC 1918" -j ACCEPT
--A WHITELIST -s 192.168.0.0/16 -m comment --comment "RFC 1918" -j ACCEPT
+-A WHITELIST -m set --match-set local src -j ACCEPT
+-A WHITELIST -m set --match-set whitelist src -j ACCEPT
 
 COMMIT
diff --git a/iptables/connection.rules b/iptables/connection.rules
new file mode 100644
index 0000000..1db8c9d
--- /dev/null
+++ b/iptables/connection.rules
@@ -0,0 +1,6 @@
+*filter
+:CONNECTION -
+-A INPUT -j CONNECTION
+-A CONNECTION -i lo -j ACCEPT
+-A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
+COMMIT
diff --git a/iptables/ipset.rules b/iptables/ipset.rules
new file mode 100644
index 0000000..91b5d4f
--- /dev/null
+++ b/iptables/ipset.rules
@@ -0,0 +1,8 @@
+create local hash:net
+create whitelist hash:net
+create blacklist hash:net
+
+add local 127.0.0.0/8
+add local 10.0.0.0/8
+add local 172.16.0.0/12
+add local 192.168.0.0/16
diff --git a/iptables/ipset.service b/iptables/ipset.service
new file mode 100644
index 0000000..5c24b00
--- /dev/null
+++ b/iptables/ipset.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=ipset
+Before=network-pre.target iptables.service
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=ipset restore -f /etc/ipset.rules
+ExecStop=ipset save -f /etc/ipset.rules ; ipset destroy
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
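Review bot: `-m set --match-set ...` makes iptables-restore reject this whole raw table when any of the three sets does not exist, and nothing in the commit ties the sets' lifetime to these rules: ipset.service only declares Before=iptables.service, iptables.service (not in this diff) gains no Requires=/After=ipset.service, and the README restores ipset.rules by hand. If the sets are absent at boot or the ipset unit is disabled, the blacklist and whitelist silently do not apply while the filter rules still load, so the host is reachable but unfiltered at this layer. Add `Requires=ipset.service` and `After=ipset.service` to iptables.service, and a header comment here: `# needs ipset sets local/whitelist/blacklist (ipset.rules) to exist before restore`. The same dependency applies to the ipset.service hunk below.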
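Review bot: `ExecStop=ipset save -f /etc/ipset.rules ; ipset destroy` persists the live sets over the file ExecStart trusts and then destroys them, so a failed or partial save leaves an unparseable /etc/ipset.rules and the next boot's set-based iptables rules fail to load — the same fail-open profile as the iptables unit. Write to a temporary file and rename it into place, and gate the destroy on the save succeeding, e.g. `ExecStop=/bin/sh -c 'ipset save > /etc/ipset.rules.tmp && mv /etc/ipset.rules.tmp /etc/ipset.rules && ipset destroy'`. `ipset destroy` also fails while any iptables rule still references a set; Before=iptables.service means the firewall unit stops first, but that only helps if empty.rules clears the raw table too, which this diff does not show — a comment stating that assumption would help the next maintainer.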
diff --git a/iptables/default.rules b/iptables/service.rules
similarity index 69%
rename from iptables/default.rules
rename to iptables/service.rules
index 0c5357c..7fdb8eb 100644
--- a/iptables/default.rules
+++ b/iptables/service.rules
@@ -1,11 +1,7 @@
 *filter
 :INPUT DROP
-:CONNECTION -
 :SERVICE -
--A INPUT -j CONNECTION
 -A INPUT -j SERVICE
--A CONNECTION -i lo -j ACCEPT
--A CONNECTION -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A SERVICE -p tcp --dport 22 -j ACCEPT
 -A SERVICE -p tcp --dport 25 -j ACCEPT
 -A SERVICE -p tcp --dport 80 -j ACCEPT
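Review bot: Loaded on its own, this file is unsafe: `:INPUT DROP` with only the SERVICE chain drops loopback and every RELATED,ESTABLISHED packet, including replies to the host's own outbound connections, because the CONNECTION chain now lives in connection.rules; the README restores that file first, but nothing here records the dependency — add `# depends on connection.rules (lo + RELATED,ESTABLISHED) being restored before this file`. The rename also leaves iptables.service (outside this diff) restoring /etc/default.rules, a file the repo no longer ships and the README merely `touch`es, so a fresh install appears to boot with no filter rules (kernel default ACCEPT) until the presets are applied by hand and saved by ExecStop; consider pointing ExecStart at the shipped file set instead. The hunk ends at the port 80 rule; the rest of the SERVICE chain and COMMIT are outside it.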